CN110248363A - Secure EAP-AKA authentication through a proxy - Google Patents


Info

Publication number
CN110248363A
Authority
CN
China
Prior art keywords
agent equipment
peer device
eap
signal
aka
Prior art date
Legal status
Pending
Application number
CN201910164884.7A
Other languages
Chinese (zh)
Inventor
S·哈特利
L·V·塔纳扬克孜尔
Y-K·柯
Current Assignee
GM Global Technology Operations LLC
Original Assignee
GM Global Technology Operations LLC
Priority date
Filing date
Publication date
Application filed by GM Global Technology Operations LLC
Publication of CN110248363A
Legal status: Pending


Classifications

    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using challenge-response for mutual authentication
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication
    • H04W12/40 Security arrangements using identity modules
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations
    • H04L2209/80 Wireless
    • H04L2209/84 Vehicles
    • H04L63/0272 Virtual private networks
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04W4/44 Services specially adapted for vehicles, for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A secure EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) authentication system includes a proxy device of a motor-vehicle communication system that communicates wirelessly with the authenticator of a service provider. The proxy device includes a Wi-Fi component for Wi-Fi connection. A peer device is separate from the proxy device and includes a UMTS Subscriber Identity Module (USIM) that stores an International Mobile Subscriber Identity (IMSI). A Transport Layer Security (TLS) component defining an Ethernet tunnel component is connected to each of the proxy device and the peer device and provides the communication between them. An EAP state machine is connected to the proxy device.

Description

Secure EAP-AKA authentication through a proxy
Introduction
This disclosure relates to a system and method for securely transmitting wireless messages to and from a motor vehicle.
A peer device (such as a cellular phone) can communicate with other devices using Wi-Fi technology for wireless local area networks based on the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standards. Wi-Fi networks allow computers, smartphones and other devices to connect to the internet and to communicate wirelessly within a predetermined area. Accessing the internet through a Wi-Fi network using a cellular carrier's cellular network service usually involves an authentication process and key agreement. Authentication specifications, open-source software and vendor implementations all assume that the peer device contains both a Wi-Fi chipset for Wi-Fi communication and a cellular chipset with a UMTS Subscriber Identity Module (USIM) for 3G and 4G network communication.
Known and commonly used Authentication and Key Agreement protocols for authentication with session key distribution (such as the Extensible Authentication Protocol (EAP)) use the Authentication and Key Agreement (AKA) mechanism. The example protocol EAP-AKA (RFC 4187) defines the authentication process and the message exchange between a peer device and an authenticator (the carrier). Messages are usually sent between the peer device and the authenticator over a Wi-Fi network using the 802.1X protocol. Recently, a man-in-the-middle (MitM) vulnerability was identified in the use of 802.1X as part of the AKA protocol, and 802.1X was modified to add a layered encryption, defined in 802.1X-2010, that uses 802.1AE with a random number generator and a key.
Long Term Evolution (LTE) is a standard for high-speed wireless communication for mobile devices and data terminals. The LTE security architecture specifies that the peer uses a random number and a key sent by the authenticator to generate a master key, which is then used to generate an integrity key and a cipher key. The peer device containing the USIM and the proxy device holding the key information may be physically separated within a motor vehicle. Transmitting the key in plain text over an unprotected medium between the peer device and the proxy device can therefore lead to a man-in-the-middle attack. Furthermore, the known specifications do not define what happens when the peer device is connected to another ECU (system) in a different segment.
Therefore, although current authentication protocols achieve their intended purpose, there is a need for a new and improved system and method for carrying out EAP-AKA authentication in which the peer device containing the USIM is separated from the proxy device.
Summary of the invention
According to several aspects, a secure EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) authentication system includes a proxy device of a motor-vehicle communication system that communicates wirelessly with the authenticator of a service provider. A peer device is separate from the proxy device. An Ethernet tunnel defining a Transport Layer Security (TLS) component is connected to each of the proxy device and the peer device and provides the communication between them.
In another aspect of the present disclosure, when an EAP Request-Identity signal is received from the authenticator by the proxy device, the proxy device forwards a request for an International Mobile Subscriber Identity (IMSI) signal to the peer device, requesting the IMSI.
In another aspect of the present invention, an IMSI return signal generated by the peer device returns the IMSI to the proxy device via TLS.
In another aspect of the present disclosure, an EAP Response-Identity signal generated by the proxy device is wirelessly forwarded to the authenticator.
In another aspect of the present disclosure, multiple algorithms of the authenticator are run to generate a random number and an authentication token, both of which are returned to the proxy device in an EAP Response/AKA-Challenge signal. An AKA Challenge-Request signal is forwarded from the proxy device to the peer device via TLS. An AKA algorithm in the peer device runs on receipt of the AKA Challenge-Request signal to verify the authenticity of the authentication token, thereby identifying whether mutual authentication exists among the peer device, the proxy device and the authenticator.
In another aspect of the present disclosure, if mutual authentication exists among the peer device, the proxy device and the authenticator, the peer device returns an AKA Challenge-Response signal to the proxy device via TLS. The proxy device wirelessly forwards an EAP Response/AKA-Challenge signal, including the key, to the authenticator.
In another aspect of the present disclosure, a server of the authenticator checks the EAP Response/AKA-Challenge signal from the proxy device and, using the key from the peer device, verifies whether a mutual authentication code exists; if the mutual authentication code is confirmed, it issues an authentication-pass signal.
In another aspect of the present disclosure, if the peer device's rejection indicates that no mutually authenticated code exists among the peer device, the proxy device and the authenticator, an AKA Authentication-Reject signal is generated by the peer device and forwarded from the peer device to the proxy device. An EAP Response/AKA-Authentication-Reject signal is then generated by the proxy device and forwarded from the proxy device to the authenticator.
In another aspect of the present disclosure, the peer device includes a UMTS Subscriber Identity Module (USIM) that stores the IMSI.
In another aspect of the present disclosure, the proxy device includes a Wi-Fi component for Wi-Fi connection.
According to several aspects, a secure EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) authentication system includes a proxy device of a motor-vehicle communication system that communicates wirelessly with the authenticator of a service provider, the proxy device including a Wi-Fi component for Wi-Fi connection. A peer device is separate from the proxy device and includes a UMTS Subscriber Identity Module (USIM) that stores an International Mobile Subscriber Identity (IMSI). A Transport Layer Security (TLS) component defining an Ethernet tunnel component is connected to each of the proxy device and the peer device and provides the communication between them. An EAP state machine is connected to the proxy device.
In another aspect of the present disclosure, the peer device receives EAP messages over TLS, processes them, and responds to the proxy device, which in turn interfaces with the EAP state machine.
In another aspect of the present disclosure, EAP messages are fed through the EAP state machine on the proxy device, which then issues a set of smart-card APIs used to carry out the EAP communication process.
In another aspect of the present disclosure, when an EAP Request-Identity signal is received from the authenticator by the proxy device, a signal requesting the IMSI is forwarded from the proxy device to the peer device.
In another aspect of the present disclosure, an IMSI return signal generated by the peer device returns the IMSI to the proxy device via TLS. An EAP Response-Identity signal is generated by the proxy device and wirelessly forwarded to the authenticator.
In another aspect of the present disclosure, multiple algorithms are run by the authenticator to generate a random number and an authentication token, which are wirelessly returned to the proxy device in an EAP Response/AKA-Challenge signal.
In another aspect of the present disclosure, an AKA Challenge-Request signal is forwarded from the proxy device to the peer device via TLS. An AKA algorithm in the peer device runs on receipt of the AKA Challenge-Request signal to verify the authenticity of the authentication token, thereby identifying whether mutual authentication exists among the peer device, the proxy device and the authenticator. If mutual authentication exists among the peer device, the proxy device and the authenticator, the peer device returns an AKA Challenge-Response signal to the proxy device via TLS. The proxy device wirelessly forwards an EAP Response/AKA-Challenge signal, including the key, to the authenticator.
According to many aspects, a method for carrying out secure EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) authentication comprises the following steps: providing a proxy device of a motor-vehicle communication system in wireless communication with the authenticator of a service provider, the proxy device including a Wi-Fi component for Wi-Fi connection; storing an International Mobile Subscriber Identity (IMSI) in a UMTS Subscriber Identity Module (USIM) of a peer device separate from the proxy device; connecting the proxy device to the peer device using a Transport Layer Security (TLS) component defining an Ethernet tunnel component, to provide communication between the proxy device and the peer device; and connecting an EAP state machine to the proxy device.
In another aspect of the present disclosure, the method further comprises: feeding EAP messages through the EAP state machine on the proxy device; and sending, from the proxy device, a set of smart-card APIs for carrying out the EAP communication process.
In another aspect of the present disclosure, the method further comprises: when an EAP Request-Identity signal is received from the authenticator by the proxy device, forwarding a signal requesting the IMSI from the proxy device to the peer device; generating, by the peer device, an IMSI return signal that returns the IMSI to the proxy device via TLS; and generating, by the proxy device, an EAP Request-Identity signal that is wirelessly forwarded to the authenticator.
Further areas of applicability will become apparent from the detailed description provided herein. It should be understood that the description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
Brief description of the drawings
The drawings described herein are for illustration purposes only and are not intended to limit the scope of the present disclosure in any way.
Fig. 1 is a diagram of a secure Extensible Authentication Protocol - Authentication and Key Agreement authentication system according to an exemplary embodiment;
Fig. 2 is a flow chart of the secure message paths of the EAP-AKA system of Fig. 1; and
Fig. 3 is a diagram depicting multiple available communication links that may be used with the EAP-AKA system of Fig. 1.
Detailed description
The following description is merely exemplary in nature and is not intended to limit the disclosure, its application or its uses.
Referring to Fig. 1, a secure EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) authentication system 10 is provided for a communication system 12 located in a motor vehicle 14. The components of communication system 12 include a peer device 16 having a UMTS Subscriber Identity Module (USIM) 18 for wireless 3G or 4G LTE communication. Peer device 16 may have a private-network router login address of 192.168.1.102. A proxy device 20 is physically separated from peer device 16 and communicates directly with peer device 16 using an Ethernet cable "tunnel" defining Transport Layer Security (TLS) 22. Owing to the vehicle's space constraints and the configuration of communication system 12, the "physical separation" between peer device 16 and proxy device 20 may range from about 2 cm to more than 1 meter.
TLS 22 allows an existing vehicle communication system to be upgraded to provide both peer device 16 and proxy device 20 (where one of the two devices is not already present), and allows peer device 16 to connect to proxy device 20 regardless of the spatial separation between the two components in vehicle 14. Proxy device 20 may have a private-network router entry address of 192.168.1.100. Communication system 12 may further include a gateway 24 that also communicates with TLS 22. Peer device 16 may include a wireless LTE receiver-transmitter 26. Proxy device 20 may include a Wi-Fi receiver-transmitter 28.
Referring to Fig. 2 and again to Fig. 1, a flow chart 30 presents the multiple paths for authenticating communication between communication system 12 in vehicle 14 and an authenticator 32 provided by the carrier service. The operator-to-proxy portion 34 of the authentication process is generally known and is discussed here for completeness. The proxy-to-peer portion 36 of the authentication process differs from that of known devices (such as cellular phones) in that it includes TLS 22 between proxy device 20 and peer device 16, together with authentication steps added to ensure secure communication over TLS 22.
An authentication-success section 38 provides the path for a vehicle operation that the carrier has successfully authorized.
Initially, when a request for communication is issued from vehicle 14 to the operator, the operator's authenticator 32 forwards an EAP Request-Identity signal 40, which is received by proxy device 20. On receiving EAP Request-Identity signal 40, proxy device 20 forwards a request for an International Mobile Subscriber Identity (IMSI) signal 42 to peer device 16, requesting the IMSI, which is normally stored in USIM 18. Peer device 16 retrieves the IMSI from USIM 18 and forwards it to proxy device 20 in an IMSI return signal 44. Proxy device 20 generates an EAP Response-Identity signal 46, which also includes the user's NAI, and forwards this information to authenticator 32. Authenticator 32 runs one or more algorithms 48 that generate a random number (AT_RAND) and an authentication token (AT_AUTN); the random number and authentication token are returned to proxy device 20 in an EAP Response/AKA-Challenge signal 50.
Proxy device 20 forwards an AKA Challenge-Request signal 52 to peer device 16. Peer device 16 runs one or more AKA algorithms 54 to verify the authenticity of the authentication token (AT_AUTN), thereby achieving mutual authentication between communication system 12 and authenticator 32 (the operator). Peer device 16 returns an AKA Challenge-Response signal 56 to proxy device 20, which in turn forwards these values to authenticator 32 as an EAP Response/AKA-Challenge signal 58. A server 60 of authenticator 32 checks the response from proxy device 20 and uses the derived key from peer device 16 to verify the mutual authentication code; if mutual authentication is confirmed, it issues an authentication-pass signal 62.
If authenticator 32 rejects the authentication code, an authenticator authentication-reject section 64 provides the communication path.
If, after receiving EAP Response/AKA-Challenge signal 58, server 60 determines while checking the mutual authentication code with the derived key from peer device 16 that the mutual authentication code is incorrect, server 60 of authenticator 32 issues an EAP Request/AKA-Notification signal 66 to proxy device 20. The EAP state machine 68 of proxy device 20 terminates, and an EAP Response/AKA-Notification signal 70 is generated by proxy device 20 together with a connection-failure signal 72; these are returned to authenticator 32.
When peer device 16 rejects the authentication code, a peer authentication-reject section 74 provides the path.
As in the successful authentication process described above, authenticator 32 runs algorithm 48, which generates a random number and an authentication token; these are forwarded to proxy device 20 in an EAP Response/AKA-Challenge signal 50', and proxy device 20 forwards an AKA Challenge-Request signal 52' to peer device 16 as the authentication code. Peer device 16 runs AKA algorithm 54' to verify the authenticity of the authentication token; if, however, peer device 16 rejects it, indicating that no mutually authenticated code exists among peer device 16, proxy device 20 and authenticator 32, an AKA Authentication-Reject signal 76 is forwarded from peer device 16 to proxy device 20, which in turn forwards an EAP Response/AKA-Authentication-Reject signal 78 to authenticator 32.
In operation, on receiving EAP-Request/AKA-Challenge signal 50' carrying the AT_RAND and AT_AUTN values, proxy device 20 forwards these values to the peer device over TLS 22. If peer device 16 rejects the server's authentication, peer device 16 sends AKA-Authentication-Reject signal 76 to proxy device 20. Proxy device 20 forwards the failure message as EAP-Response/AKA-Authentication-Reject signal 78.
Proxy device 20 is created on the ECU (system component) that hosts the Wi-Fi communication equipment. Proxy device 20 processes EAP messages and contains EAP state machine 68. Proxy device 20 redirects EAP messages through the tunnel defining Transport Layer Security (TLS) 22 to peer device 16, which contains USIM 18. TLS 22 provides the security and the permission for proxy device 20 and peer device 16 to authenticate each other and to register AKA capability.
Peer device 16 receives and processes EAP-AKA messages over TLS 22 and responds to proxy device 20, which in turn interfaces with EAP-AKA state machine 68. EAP messages are fed through EAP state machine 68 on proxy device 20, which then issues only the set of "smart card" APIs needed to carry out the EAP communication process. As is well known, an application programming interface (API) is a set of subroutine definitions, protocols and tools for building application software that defines the means of communication between the various software components.
Proxy device 20 intercepts EAP-AKA messages through the smart-card API found in the Linux open-source wpa_supplicant library (not shown). The wpa_supplicant library normally communicates directly with USIM 18; here, however, proxy device 20 forwards these messages over TLS 22 to peer device 16 at the other end, which acts as the smart-card function. Proxy device 20 requests the IMSI (International Mobile Subscriber Identity).
Server rejects authentication.
On receiving EAP-Response/AKA-Challenge signal 50, server 60 determines whether the key is valid. If the key is invalid, server 60 sends an EAP-Request/AKA-Notification that informs proxy device 20 that server 60 has rejected the authentication; EAP state machine 68 terminates; and the connection fails. No communication with the peer device is needed in this case. Proxy device 20 sends an EAP-Response/AKA-Notification to inform authenticator 32 (the server) of the authentication failure.
Join with reference to Fig. 3 and again and open Fig. 1 to Fig. 2, EAP-AKA Verification System 10 allows the communication system 12 of motor vehicles 14 Via internet 80 with multiple external systems safety and wirelessly communicate.These systems can include but is not limited to via passing through road By family's Wi-Fi system 82 of the user of the access provider 84 of the user of device 86.It can also be provided in vehicular manufacturer partner Wi-Fi Hotspot 88 at provide communication, the Wi-Fi Hotspot utilize partner provide server 90 and local router 92.Communication (such as during vehicle maintenance time) further can be provided at the Wi-Fi Hotspot 94 that vehicular manufacturer dealer provides, The server 96 and local router 98 that the Wi-Fi Hotspot utilizes dealer to provide.EAP-AKA Verification System 10 allows motor vehicle 14 communication system 12 via the cellular tower 104 for using cellular network 102 and one or more networks to provide mobile cellular System 100 carries out wireless communication.Also 80 EAP-AKA Verification System to be used for vehicular manufacturer's server 106 via internet 10 provide communication, which allows vehicular manufacturer wirelessly to collect vehicle data and distribute vehicle number According to.
The EAP-AKA Verification System 10 of the disclosure provides several advantages.These include providing a kind of method and system, to have Meaning ground and safely by go-between be inserted into agent equipment 20, with represent peer device 16 action, with agent equipment 20 and equity USIMEAP message is authenticated and handled when equipment 16 is physically separated.Implement long-distance intelligent card solution, so that the embodiment It can be used for EAP-SIM and EAP-AKA message.EAP message is not directly forwarded to peer device 16 from agent equipment 20.Agency Equipment 20 implements EAP state machine 68, and only communicates necessary smart card request and response.
The description of the disclosure is substantially only exemplary, and the variation for not departing from the main points of the disclosure is intended to be in In the scope of the present disclosure.These variations are not regarded as a departure from the spirit and scope of the invention.

Claims (10)

1. A secure EAP-AKA (Extensible Authentication Protocol-Authentication and Key Agreement) authentication system, comprising:
an agent device of a motor vehicle communication system, providing wireless communication with an authenticator of a service provider;
a peer device separate from the agent device; and
an Ethernet tunnel defining a Transport Layer Security (TLS) component, connected to each of the agent device and the peer device and providing communication between the agent device and the peer device.
2. The system of claim 1, wherein, when an EAP-Request/Identity signal is received by the agent device from the authenticator, the agent device forwards a request for an International Mobile Subscriber Identity (IMSI) signal to the peer device, requesting the IMSI.
3. The system of claim 2, wherein an IMSI return signal generated by the peer device returns the IMSI to the agent device via the TLS.
4. The system of claim 3, wherein an EAP-Response/Identity signal generated by the agent device is wirelessly forwarded to the authenticator.
5. The system of claim 4, wherein:
a plurality of algorithms of the authenticator are run to generate a random number and an authentication token, both of which are returned to the agent device in an EAP-Response/AKA-Challenge signal;
an AKA-Challenge-Request signal is forwarded from the agent device to the peer device via the TLS; and
an AKA algorithm is run on receipt of the AKA-Challenge-Request signal in the peer device to verify the authenticity of the authentication token, thereby identifying whether mutual authentication exists between the peer device, the agent device and the authenticator.
6. The system of claim 5, wherein:
if mutual authentication exists between the peer device, the agent device and the authenticator, the peer device returns an AKA-Challenge-Response signal to the agent device via the TLS; and
the agent device wirelessly forwards an EAP-Response/AKA-Challenge signal including a key to the authenticator.
7. The system of claim 6, wherein a server of the authenticator inspects the EAP-Response/AKA-Challenge signal from the agent device, uses the key from the peer device to verify whether a mutual authentication code exists, and, if the mutual authentication code is confirmed, issues an authentication pass signal.
8. The system of claim 5, wherein:
if the peer device rejects, indicating that no mutually authenticated authentication code exists between the peer device, the agent device and the authenticator, an AKA-Authentication-Reject signal is generated by the peer device and forwarded from the peer device to the agent device; and
an EAP-Response/AKA-Authentication-Reject signal is generated by the agent device and forwarded from the agent device to the authenticator.
9. The system of claim 2, wherein the peer device includes a UMTS Subscriber Identity Module (USIM) storing the IMSI.
10. The system of claim 1, wherein the agent device includes a Wi-Fi component for Wi-Fi connection.
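The following Python model is an added illustration of the exchange described in the description above (identity request, signals 50', 52', 76 and 78, and the server rejection path) and in claims 2 to 8; it is not code from the patent or from its assignee. The TLS tunnel 22 is modelled as a direct function call, the Milenage f1/f2 functions of a real USIM are replaced by HMAC-SHA256 stand-ins, and the IMSI, the subscriber key and the subscriber database are constructed values. Message names follow the ones used on the page; the attribute names (rand, autn, res, AT_RAND, AT_AUTN) and the class names are assumptions of this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample subscriber (not from the patent): the IMSI on the USIM and the
# 128-bit subscriber key K shared between the USIM and the home server.
IMSI = "001010123456789"
K_PEER = bytes.fromhex("00112233445566778899aabbccddeeff")

def f1_mac(k: bytes, rand: bytes) -> bytes:
    # Stand-in for Milenage f1 (the network authentication MAC carried in AUTN); the
    # real function is AES-based, HMAC-SHA256 is used so the example runs on the stdlib.
    return hmac.new(k, b"AUTN" + rand, hashlib.sha256).digest()[:8]

def f2_res(k: bytes, rand: bytes) -> bytes:
    # Stand-in for Milenage f2: RES on the USIM side, XRES on the server side.
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:8]

@dataclass
class Msg:
    kind: str
    attrs: dict = field(default_factory=dict)

class PeerDevice:
    """Peer device 16 with USIM 18: answers only the smart-card requests."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k
    def handle(self, msg: Msg) -> Msg:
        if msg.kind == "IMSI-Request":
            return Msg("IMSI-Return", {"imsi": self.imsi})
        if msg.kind == "AKA-Challenge-Request":
            rand, autn = msg.attrs["rand"], msg.attrs["autn"]
            # Check the network's token before releasing RES: a network that does not
            # hold K cannot produce a valid AUTN and is rejected (mutual authentication).
            if not hmac.compare_digest(f1_mac(self.k, rand), autn):
                return Msg("AKA-Authentication-Reject")
            return Msg("AKA-Challenge-Response", {"res": f2_res(self.k, rand)})
        raise ValueError(msg.kind)

class Authenticator:
    """Authenticator 32 / server 60 of the service provider (EAP-AKA server side)."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # IMSI -> K; a constructed subscriber database
        self.xres = None
    def handle(self, msg: Msg) -> Msg:
        if msg.kind == "EAP-Response/Identity":
            k = self.subscribers.get(msg.attrs["imsi"])
            if k is None:  # server-side rejection: no valid key for this subscriber
                return Msg("EAP-Request/AKA-Notification")
            rand = secrets.token_bytes(16)
            self.xres = f2_res(k, rand)
            return Msg("EAP-Request/AKA-Challenge", {"AT_RAND": rand, "AT_AUTN": f1_mac(k, rand)})
        if msg.kind == "EAP-Response/AKA-Challenge":
            if hmac.compare_digest(msg.attrs["res"], self.xres):
                return Msg("EAP-Success")
            return Msg("EAP-Request/AKA-Notification")  # RES != XRES: reject
        if msg.kind in ("EAP-Response/AKA-Authentication-Reject", "EAP-Response/AKA-Notification"):
            return Msg("EAP-Failure")
        raise ValueError(msg.kind)

class AgentDevice:
    """Agent device 20 on the vehicle ECU: runs the EAP state machine, relays only smart-card calls."""
    def __init__(self, tls_send):
        self.tls_send = tls_send  # callable standing in for the TLS tunnel 22
    def handle(self, msg: Msg) -> Msg:
        if msg.kind == "EAP-Request/Identity":
            reply = self.tls_send(Msg("IMSI-Request"))
            return Msg("EAP-Response/Identity", {"imsi": reply.attrs["imsi"]})
        if msg.kind == "EAP-Request/AKA-Challenge":
            reply = self.tls_send(Msg("AKA-Challenge-Request",
                                      {"rand": msg.attrs["AT_RAND"], "autn": msg.attrs["AT_AUTN"]}))
            if reply.kind == "AKA-Authentication-Reject":
                return Msg("EAP-Response/AKA-Authentication-Reject")
            return Msg("EAP-Response/AKA-Challenge", {"res": reply.attrs["res"]})
        if msg.kind == "EAP-Request/AKA-Notification":
            return Msg("EAP-Response/AKA-Notification")  # acknowledge the server's rejection
        raise ValueError(msg.kind)

def run_eap_aka(subscribers: dict, peer_k: bytes):
    """Run one exchange; return (final EAP result, message kinds on link and tunnel in order)."""
    peer, transcript = PeerDevice(IMSI, peer_k), []
    def tunnel(m: Msg) -> Msg:  # TLS tunnel 22 modelled as a direct call
        transcript.append(m.kind)
        reply = peer.handle(m)
        transcript.append(reply.kind)
        return reply
    agent, auth = AgentDevice(tunnel), Authenticator(subscribers)
    msg = Msg("EAP-Request/Identity")
    while msg.kind not in ("EAP-Success", "EAP-Failure"):
        transcript.append(msg.kind)
        resp = agent.handle(msg)
        transcript.append(resp.kind)
        msg = auth.handle(resp)
    transcript.append(msg.kind)
    return msg.kind, transcript
```

Calling `run_eap_aka({IMSI: K_PEER}, K_PEER)` walks the successful path of claims 2 to 7; `run_eap_aka({IMSI: bytes(16)}, K_PEER)` models a network that does not hold the subscriber key, so the USIM rejects AUTN and the agent relays only the rejection of claim 8 (the RES is never released); `run_eap_aka({}, K_PEER)` models the server rejection path, where the peer is not consulted for the challenge at all. The transcript shows that the only traffic on the tunnel is the IMSI lookup and the AKA challenge, which is the point of keeping the EAP state machine on the agent device.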
CN201910164884.7A 2018-03-09 2019-03-05 It is authenticated by the safe EAP-AKA of agency Pending CN110248363A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201815916672A 2018-03-09 2018-03-09
US15/916672 2018-03-09

Publications (1)

Publication Number Publication Date
CN110248363A true CN110248363A (en) 2019-09-17

Family

ID=67701796

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910164884.7A Pending CN110248363A (en) 2018-03-09 2019-03-05 It is authenticated by the safe EAP-AKA of agency

Country Status (2)

Country Link
CN (1) CN110248363A (en)
DE (1) DE102019105571A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101069403A (en) * 2004-10-14 2007-11-07 诺基亚公司 Proxy smart card applications
CN101983517A (en) * 2008-04-02 2011-03-02 诺基亚西门子通信公司 Security for a non-3gpp access to an evolved packet system
CN107067563A (en) * 2015-12-22 2017-08-18 通用汽车环球科技运作有限责任公司 Vehicle shares accessory device and system
US20170323116A1 (en) * 2016-05-05 2017-11-09 Sonus Networks, Inc. Use of aka methods and procedures for authentication of subscribers without access to sim credentials
WO2018008983A1 (en) * 2016-07-05 2018-01-11 Samsung Electronics Co., Ltd. Method and system for authenticating access in mobile wireless network system

Also Published As

Publication number Publication date
DE102019105571A1 (en) 2019-09-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190917